Argument

Security environment has changed during the past ten years 

Prevention always eventually fails somewhere, yet most people 
focus on it exclusively and ignore detection 

"Intrusion Detection" must be an investigative process; "Intrusion 
Prevention" does not require investigation 

"Intrusion Detection" as currently practiced is actually managing 
attack or suspicious behavior inferences 

True intrusion detection requires investigating facts, not managing 
alerts based on inferences 

Traffic-centric forensics provides trustworthy evidence although 
details may be obfuscated 
Changing Security Environment

1997 vs 2007:

1997: Intruders obtain remote host control by abusing, subverting, or breaking unnecessary services and/or exposed services
2007: Intruders gain remote host control via 1) client-side breaches; 2) abusing or subverting exposed and necessary applications; 3) breaking exposed services

1997: Majority of malicious traffic is caused by humans interacting with targets
2007: Majority of malicious traffic is caused by automated code operating on behalf of humans

1997: Goal of exploitation is often control of target
2007: Goal of exploitation is often theft of sensitive data

1997: Defense involves preventing intrusions by applying patches for necessary services and disabling unnecessary services
2007: Defense involves properly designing, coding, and deploying complex individualistic applications for which no commodity "patch" is available

1997: Buffer overflows, SYN floods, and misconfiguration were the big problems
2007: Web application abuse/subversion, root kits, bot nets, exploiting consumer data, etc. are huge

Too many managers still live in 1997, along with their defensive strategies
Prevention Eventually Fails

Risk environment changes faster than prevention system

- Threats are exceptionally creative, numerous, determined, and always changing

- Defenses usually focus on attacks from the outside and cannot understand everything that happens

- New devices with various services and applications are always being introduced, often out of the control of the enterprise

- Assets are stored anywhere and everywhere

Prevention vs Detection

When prevention succeeds, investigation is not required

- Nothing about the target changed because traffic was denied

[Figure: an "Attack" arrow stopped at the prevention device; caption "Training Wheels without the Bike"]

All other scenarios require investigation

- Prevention system doesn't recognize attack, permits traffic

- Passive detection system recognizes attack, triggers alert

- Passive detection system doesn't recognize attack, ignores it

Investigation requires having data to analyze
What Do Alerts Really Mean?

"Intrusion Detection" systems are at best "incident indication" systems providing inferences based on observed events

[Figure: Sguil console showing the alert "ATTACK-RESPONSES id check returned root", 82.165.50.118:80 -> 69.143.202.28:1655, with packet data ending in "uid=0(root) gid=0(root) groups=0(root)"]

User visits www.testmyids.com.

IDS says "I think I saw traffic that I've been programmed to report as the result of running the Unix id command as root. I need to alert."

Replace this example with any of the thousands of alerts that have little to do with the intent of the detection system programmer

The rule that fired (Show Rule):

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
/nsm/rules/cel433/attack-responses.rules: Line 34


Inferences vs Facts

This alert is an inference

Count:1 Event#1.200816 2007-03-16 19:20:07
ATTACK-RESPONSES id check returned root
82.165.50.118 -> 69.143.202.28
IPVer=4 hlen=5 tos=32 dlen=363 ID=14523 flags=2 offset=0 ttl=43 chksum=33003
Protocol: 6 sport=80 -> dport=1655
Seq=4140666419 Ack=3568664633 Off=5 Res=0 Flags=***AP*** Win=6432 urp=44738 chksum=0

This transcript is a fact

Real intrusion detection implies identifying facts

Which is better: conclusions based on facts or guesses based on assumptions?

SRC: GET / HTTP/1.1
SRC: Host: www.testmyids.com
SRC: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
SRC: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
SRC: Accept-Language: en-us,en;q=0.5
SRC: Accept-Encoding: gzip, deflate
SRC: Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
SRC: Keep-Alive: 300
SRC: Connection: keep-alive
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 16 Mar 2007 19:20:10 GMT
DST: Server: Apache/1.3.33 (Unix)
DST: Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT
DST: ETag: "9b30607-27-45ac0a3b"
DST: Accept-Ranges: bytes
DST: Content-Length: 39
DST: Keep-Alive: timeout=2, max=200
DST: Connection: Keep-Alive
DST: Content-Type: text/html
DST:
DST: uid=0(root) gid=0(root) groups=0(root)
DST:
This Is Alert Management, Not Security Investigation

1. Dashboard shows alert

2. Analyst looks at alert

3. Alert does not reveal if attack succeeded

4. Analyst looks for related alerts

5. If any related alerts exist, none reveal if attack succeeded

6. Repeat for next alert starting with Step 1

[Flow diagram: Analyst sees original alert -> queries database for alerts -> database returns single alert -> STOP: investigation ends]


This Is Security Investigation, Not Alert Management

Investigations with data present many more options

[Flow diagram: Analyst sees original alert -> queries database for alerts -> database returns single alert -> pulls FULL CONTENT and reconstructs the FTP control and data channels; the FTP data channel allows analysis of the intruder's back door -> queries database for sessions -> analyst sees connections to other IPs -> queries database for sessions -> analyst sees FTP used to retrieve tools -> ...and the analyst was enlightened]
Security Investigation Examples

The following represent cases taken from a network for which I can fully authorize disclosing all event details

Therefore, it does not represent the latest and greatest, uber-elite hax0r activity I may or may not see elsewhere

The idea is to demonstrate an investigative methodology where network data is available for investigation
Example 1: Alerts Are Enough

In this example, other alerts imply the nature of the original alert

Count:1 Event#1.161790 2007-02-12 01:21:51
BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Linux Source)
86.123.192.184 -> 69.143.202.28
IPVer=4 hlen=5 tos=32 dlen=78 ID=5907 flags=2 offset=0 ttl=37 chksum=6040
Protocol: 6 sport=50000 -> dport=45673
Seq=1162437692 Ack=2046273927 Off=11 Res=0 Flags=***AP*** Win=16022 urp=45361 chksum=0
Payload:
00 00 00 01 03 00 00 00 05 04 00 00 03 0B

Other alerts involving the same pair of hosts:

Date/Time            Src IP          SPort  Dst IP          DPort  Pr  Event Message
2007-02-11 18:32:02  86.123.192.184  50000  69.143.202.28   41933  6   SHELLCODE x86 inc ebx NOOP
2007-02-12 01:21:51  86.123.192.184  50000  69.143.202.28   45673  6   BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inb...
2007-02-11 18:49:46  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent Traffic
2007-02-11 18:50:08  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent Traffic
2007-02-11 19:03:21  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent Traffic
2007-02-12 01:20:09  69.143.202.28   45673  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent Traffic
2007-02-12 01:20:09  69.143.202.28   45673  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent Traffic
2007-02-11 18:21:00  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent peer sync
2007-02-11 18:21:00  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent peer sync
2007-02-11 18:21:01  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent peer sync
2007-02-11 18:21:01  69.143.202.28   41933  86.123.192.184  50000  6   BLEEDING-EDGE P2P BitTorrent peer sync
Example 2: Alerts Are Not Enough

• Here the alert looks bad and no other alerts exist

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Win32.Bagle.f (.AH, .AJ, Trojan.Lodear.D) Trojan Activity - download attempt"; flow:established,to_server; uricontent:"/z.php"; nocase; classtype:trojan-activity; reference:url,www.trendmicro.com.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_BAGLE.AH; reference:url,Symantec.com/avcenter/venc/data/trojan.lodear.d.html; sid:2002699; rev:2;)

Count:1 Event#1.166468 2007-02-14 02:42:45
BLEEDING-EDGE VIRUS Win32.Bagle.f (.AH, .AJ, Trojan.Lodear.D) Trojan Activity - download attempt
69.143.202.28 -> 72.3.247.18
IPVer=4 hlen=5 tos=0 dlen=597 ID=45433 flags=2 offset=0 ttl=63 chksum=14696
Protocol: 6 sport=39684 -> dport=80
Seq=485697299 Ack=4282992985 Off=8 Res=0 Flags=***AP*** Win=5840 urp=31333 chksum=0
Payload:
[hex dump of the GET /z.php request to www.jigzone.com; the decoded request appears in the transcript on the following slide]






What are you supposed to do now? 
Example 2: Alerts Are Not Enough

SRC: GET /z.php?i=DE055D53C5FB&z=1 HTTP/1.0
SRC: Host: www.jigzone.com
SRC: User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.0.7) Gecko/20060925 Firefox/1.5.0.7
SRC: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
SRC: Accept-Language: en-us,en;q=0.5
SRC: Accept-Encoding: gzip,deflate
SRC: Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
SRC: Keep-Alive: 300
SRC: Via: 1.1 macmini.taosecurity.com:3128 (squid/2.5.STABLE9)
SRC: X-Forwarded-For: 192.168.2.5
SRC: Cache-Control: max-age=259200
SRC: Connection: keep-alive
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Wed, 14 Feb 2007 02:42:52 GMT
DST: Server: Apache/2.0.48 (Red Hat)
DST: X-Powered-By: PHP/4.3.11
DST: Vary: Accept-Encoding
DST: Content-Encoding: gzip
DST: Content-Length: 2320
DST: Connection: close
DST: Content-Type: text/html; charset=UTF-8
DST:
DST: [gzip-compressed response body, not printable]

If you collect full content data you can reconstruct the application level view of the security event

Note the page is gzip-encoded
Example 2: Alerts Are Not Enough

If you collect session data you can see other sessions beyond the one indicated by the IDS alert

Start Time           End Time             Src IP         SPort  Dst IP       DPort  Pr  S Pckts  S Bytes  D Pckts  D Bytes
(cut off)            2007-02-14 02:42:17  69.143.202.28  39661  72.3.247.18  80     6   5        572      5        527
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39662  72.3.247.18  80     6   7        505      6        2436
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39663  72.3.247.18  80     6   8        502      7        2983
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39664  72.3.247.18  80     6   7        501      7        2944
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39665  72.3.247.18  80     6   6        486      6        1602
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39666  72.3.247.18  80     6   5        502      5        641
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39667  72.3.247.18  80     6   8        507      7        3778
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39668  72.3.247.18  80     6   5        501      5        1431
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39669  72.3.247.18  80     6   5        500      5        630
2007-02-14 02:42:17  2007-02-14 02:42:17  69.143.202.28  39670  72.3.247.18  80     6   5        502      5        574
2007-02-14 02:42:18  2007-02-14 02:42:18  69.143.202.28  39674  72.3.247.18  80     6   5        452      5        1346
2007-02-14 02:42:40  2007-02-14 02:42:40  69.143.202.28  39683  72.3.247.18  80     6   7        521      6        2518
2007-02-14 02:42:45  2007-02-14 02:42:45  69.143.202.28  39684  72.3.247.18  80     6   7        545      6        2563  <- session of the alert
2007-02-14 02:42:45  2007-02-14 02:42:45  69.143.202.28  39685  72.3.247.18  80     6   8        510      8        7130
2007-02-14 02:42:45  2007-02-14 02:42:46  69.143.202.28  39687  72.3.247.18  80     6   6        510      6        1602

Is this enough to decide if there is a security problem?
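The pivot from the alert to session data that this slide does by hand, as an added example (my code, not from the original talk or from Sguil): it parses the Sguil alert detail shown earlier, finds the session that carried the alert, and lists the other sessions between the same two hosts around the alert time. The alert text and session rows are constructed from the values on these slides, plus one made-up unrelated session to show the filter; the function names are mine.

```python
"""Pivot from a Sguil-style alert record to session records."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sguil alert detail as printed on the slide (constructed input)
ALERT_TEXT = """Count:1 Event#1.166468 2007-02-14 02:42:45
BLEEDING-EDGE VIRUS Win32.Bagle.f (.AH, .AJ, Trojan.Lodear.D) Trojan Activity - download attempt
69.143.202.28 -> 72.3.247.18
IPVer=4 hlen=5 tos=0 dlen=597 ID=45433 flags=2 offset=0 ttl=63 chksum=14696
Protocol: 6 sport=39684 -> dport=80
"""

# Subset of the session table on the slide, plus one constructed unrelated row
# (start, end, src, sport, dst, dport, proto, spkts, sbytes, dpkts, dbytes)
SESSION_ROWS = [
    ("2007-02-14 02:42:17", "2007-02-14 02:42:17", "69.143.202.28", 39662, "72.3.247.18", 80, 6, 7, 505, 6, 2436),
    ("2007-02-14 02:42:40", "2007-02-14 02:42:40", "69.143.202.28", 39683, "72.3.247.18", 80, 6, 7, 521, 6, 2518),
    ("2007-02-14 02:42:45", "2007-02-14 02:42:45", "69.143.202.28", 39684, "72.3.247.18", 80, 6, 7, 545, 6, 2563),
    ("2007-02-14 02:42:45", "2007-02-14 02:42:45", "69.143.202.28", 39685, "72.3.247.18", 80, 6, 8, 510, 8, 7130),
    ("2007-02-14 02:42:45", "2007-02-14 02:42:46", "69.143.202.28", 39687, "72.3.247.18", 80, 6, 6, 510, 6, 1602),
    ("2007-02-14 02:43:10", "2007-02-14 02:43:12", "69.143.202.28", 39701, "204.152.184.73", 21, 6, 5, 300, 4, 400),  # made up
]

TS = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Alert:
    time: datetime
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    spkts: int
    sbytes: int
    dpkts: int
    dbytes: int


def parse_alert(text: str) -> Alert:
    """Pull timestamp, message and 5-tuple out of a Sguil alert detail block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = re.match(r"Count:\d+ Event#\S+ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", lines[0])
    hosts = re.match(r"(\S+) -> (\S+)", lines[2])
    ports = re.match(r"Protocol: (\d+) sport=(\d+) -> dport=(\d+)", lines[4])
    if not (head and hosts and ports):
        raise ValueError("unrecognised alert format")
    return Alert(datetime.strptime(head.group(1), TS), lines[1],
                 hosts.group(1), int(ports.group(2)),
                 hosts.group(2), int(ports.group(3)), int(ports.group(1)))


def load_sessions(rows) -> List[Session]:
    return [Session(datetime.strptime(r[0], TS), datetime.strptime(r[1], TS), *r[2:]) for r in rows]


def alert_session(alert: Alert, sessions: List[Session]) -> Optional[Session]:
    """The session whose 5-tuple matches the alert and that was active at alert time."""
    for s in sessions:
        same = (s.src, s.sport, s.dst, s.dport, s.proto) == (alert.src, alert.sport, alert.dst, alert.dport, alert.proto)
        if same and s.start <= alert.time <= s.end:
            return s
    return None


def related_sessions(alert: Alert, sessions: List[Session], window=timedelta(minutes=1)) -> List[Session]:
    """Other sessions between the same two hosts that started within +/- window of the alert:
    the 'sessions beyond the one indicated by the IDS alert' step."""
    hosts = {alert.src, alert.dst}
    return sorted((s for s in sessions
                   if {s.src, s.dst} == hosts
                   and abs(s.start - alert.time) <= window
                   and not (s.sport == alert.sport and s.dport == alert.dport)),
                  key=lambda s: s.start)


if __name__ == "__main__":
    a = parse_alert(ALERT_TEXT)
    sess = load_sessions(SESSION_ROWS)
    hit = alert_session(a, sess)
    print("alert session: sport=%d sent=%d received=%d" % (hit.sport, hit.sbytes, hit.dbytes))
    for s in related_sessions(a, sess):
        print("related: %s sport=%d sent=%d received=%d" % (s.start, s.sport, s.sbytes, s.dbytes))
```

The related-session list is what tells the analyst the alerted request was one of a burst of small HTTP fetches to the same server, which the alert alone cannot say.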
Example 2: Alerts Are Not Enough

Visiting the URL in the original alert shows a Valentine Rose jigsaw puzzle

Sometimes solving a case requires reproducing the suspicious activity in a controlled environment

[Screenshot: "JigZone: Valentine Rose Jigsaw Puzzle - Mozilla Firefox", address bar http://www.jigzone.com//z.php?i=DE055D53C5FB&z=1]
Example 3: What Happened Next?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Orderjack Reporting User Activity"; flow:established,to_server; uricontent:"options.cgi?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&passphrase="; nocase; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html; classtype:trojan-activity; sid:2002854; rev:1;)
/nsm/rules/cel433/bleeding-virus.rules: Line 354

Count:1 Event#1.175382 2007-02-21 17:32:47
BLEEDING-EDGE TROJAN Orderjack Reporting User Activity
69.143.202.28 -> 81.95.147.107
IPVer=4 hlen=5 tos=0 dlen=187 ID=8939 flags=2 offset=0 ttl=62 chksum=9436
Protocol: 6 sport=58307 -> dport=80
Seq=2867320777 Ack=3541503528 Off=8 Res=0 Flags=***AP*** Win=33304 urp=48386 chksum=0
Payload (ASCII column of the hex dump):
GET /cgi-bin/options.cgi?user_id=40668581731297881844&version_id=0001&passphrase=fkjvhsdvlksdhvlsd&socks=7461&version=112&crc=a30f39fc.



Example 3: What Happened Next?

Full content data shows the response from the Web server that options.cgi is unavailable, so the victim may not have reported its status

SRC: GET /cgi-bin/options.cgi?user_id=40668581731297881844&version_id=0001&passphrase=fkjvhsdvlksdhvlsd&socks=7461&version=112&crc=a30f39fc
SRC:
DST: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
DST: <HTML><HEAD>
DST: <TITLE>404 Not Found</TITLE>
DST: </HEAD><BODY>
DST: <H1>Not Found</H1>
DST: The requested URL /cgi-bin/options.cgi was not found on this server.<P>
DST: <HR>
DST:
DST: </BODY></HTML>
DST:

Session data reveals the extent of the network-based evidence

Start Time           End Time             Src IP         SPort  Dst IP         DPort  Pr  S Pckts  S Bytes  D Pckts  D Bytes
2007-02-21 17:28:51  2007-02-21 17:28:52  69.143.202.28  36248  81.95.147.107  80     6   5        519      4        240
2007-02-21 17:28:52  2007-02-21 17:28:52  69.143.202.28  36249  81.95.147.107  80     6   6        450      4        516
2007-02-21 17:32:33  2007-02-21 17:32:48  69.143.202.28  58307  81.95.147.107  80     6   5        135      4        228
2007-02-21 17:33:04  2007-02-21 17:33:05  69.143.202.28  36256  81.95.147.107  80     6   5        527      4        517
Example 4: Protocol Analysis Preprocessors

Count:1 Event#1.167160 2007-02-14 18:08:07
ftp_pp: FTP command channel encrypted
204.152.184.73 -> 69.143.202.28
IPVer=4 hlen=5 tos=32 dlen=82 ID=44797 flags=2 offset=0 ttl=38 chksum=4347
Protocol: 6 sport=21 -> dport=57229
Seq=3439200498 Ack=3554780672 Off=8 Res=0 Flags=***AP*** Win=65535 urp=57883 chksum=0
Payload:
76 73 66 5F 73 79 73 75 74 69 6C 5F 72 65 63 76  vsf_sysutil_recv
5F 70 65 65 6B 3A 20 6E 6F 20 64 61 74 61        _peek: no data

• Full content data shows a normal FTP retrieval of a FreeBSD package

SRC: RETR barnyard-sguil6-0.2.0.tbz
SRC:
DST: 227 Entering Passive Mode (204,152,184,73,136,122)
DST:
SRC: RETR barnyard-sguil6-0.2.0.tbz
SRC:
DST: 150 Opening BINARY mode data connection for barnyard-sguil6-0.2.0.tbz (52013 bytes).
DST:
DST: 226 File send OK.
DST: 500 OOPS:
DST: vsf_sysutil_recv_peek: no data
DST: 500 OOPS:
DST: child died
DST:

Callouts on the transcript: ftp.freebsd.org runs VSFTPD; "vsf_sysutil_recv_peek: no data" is some VSFTPD error that triggers Snort's ftp_pp
Example 5: So You Like TCP Options...

Count:1 Event#1.161610 2007-02-12 00:46:29
snort_decoder: Truncated Tcp Options
201.235.7.45 -> 69.143.202.28
IPVer=4 hlen=5 tos=32 dlen=64 ID=55026 flags=2 offset=0 ttl=103 chksum=23521
Protocol: 6 sport=21142 -> dport=47820
Seq=3375965127 Ack=557227574 Off=11 Res=0 Flags=***A**** Win=17520 urp=25587 chksum=0
Payload:
None

A check for other alerts involving the same source shows P2P activity

Date/Time            Src IP         SPort  Dst IP         DPort  Pr  Event Message
2007-02-11 22:55:02  69.143.202.28  45457  201.235.7.45   21142  6   BLEEDING EDGE P2P BitTorrent Traffic
2007-02-11 22:55:02  69.143.202.28  45457  201.235.7.45   21142  6   BLEEDING EDGE P2P BitTorrent Traffic
2007-02-12 00:46:29  201.235.7.45   21142  69.143.202.28  47820  6   snort_decoder: Truncated Tcp Options
2007-02-12 01:34:12  69.143.202.28  48318  201.235.7.45   21142  6   BLEEDING EDGE P2P BitTorrent Traffic
2007-02-12 03:52:51  201.235.7.45   18563  69.143.202.28  6881   6   BLEEDING EDGE SCAN NMAP -sS
2007-02-12 03:52:51  201.235.7.45   18563  69.143.202.28  6881   6   BLEEDING EDGE SCAN NMAP -f -sS
2007-02-12 03:52:54  201.235.7.45   18573  69.143.202.28  6881   6   BLEEDING EDGE SCAN NMAP -sS
2007-02-12 03:52:54  201.235.7.45   18573  69.143.202.28  6881   6   BLEEDING EDGE SCAN NMAP -f -sS

The so-called Nmap alerts are P2P-related too
Example 5: So You Like TCP Options

If you are really paranoid you can look for other sessions involving the source IP

Start Time           End Time             Src IP         SPort  Dst IP         DPort  Pr  S Pckts  S Bytes  D Pckts  D Bytes
2007-02-12 00:08:01  2007-02-12 00:08:05  201.235.7.45   10232  69.143.202.28  6881   6   3        -        3        -
2007-02-12 00:11:26  2007-02-12 00:14:42  69.143.202.28  47017  201.235.7.45   21142  6   11       384      3        -
2007-02-12 00:16:17  2007-02-12 00:21:29  69.143.202.28  47080  201.235.7.45   21142  6   36       27994    18       1399
2007-02-12 00:21:17  2007-02-12 00:21:18  69.143.202.28  47124  201.235.7.45   21142  6   5        48       3        -
2007-02-12 00:26:18  2007-02-12 00:35:10  69.143.202.28  47385  201.235.7.45   21142  6   318      435283   97       1988
2007-02-12 00:31:18  2007-02-12 00:34:40  69.143.202.28  47589  201.235.7.45   21142  6   12       432      3        -
2007-02-12 00:31:29  2007-02-12 00:31:29  201.235.7.45   21142  69.143.202.28  47080  6   1        -        -        -
2007-02-12 00:36:19  2007-02-12 00:43:05  69.143.202.28  47635  201.235.7.45   21142  6   42       38925    20       997
2007-02-12 00:41:38  2007-02-12 00:41:39  69.143.202.28  47765  201.235.7.45   21142  6   6        48       4        68
2007-02-12 00:46:08  2007-02-12 00:45:08  201.235.7.45   21142  69.143.202.28  47385  6   1        -        -        -
2007-02-12 00:46:24  2007-02-12 01:03:09  69.143.202.28  47820  201.235.7.45   21142  6   939      1318...  361      2912
2007-02-12 00:51:39  2007-02-12 00:51:41  69.143.202.28  47932  201.235.7.45   21142  6   4        48       3        -
2007-02-12 00:56:39  2007-02-12 00:56:41  69.143.202.28  48007  201.235.7.45   21142  6   4        48       3        -
2007-02-12 01:01:23  2007-02-12 01:04:26  69.143.202.28  48045  201.235.7.45   21142  6   10       336      3        -
2007-02-12 01:06:24  2007-02-12 01:13:42  69.143.202.28  48125  201.235.7.45   21142  6   115      140794   49       1360
2007-02-12 01:11:25  2007-02-12 01:11:27  69.143.202.28  48224  201.235.7.45   21142  6   4        48       3        -
2007-02-12 01:13:04  2007-02-12 01:13:04  201.235.7.45   21142  69.143.202.28  47820  6   1        -        -        -   <- marked in the original
2007-02-12 01:16:44  2007-02-12 01:40:12  69.143.202.28  48318  201.235.7.45   21142  6   1398     1963...  499      3540

(Cells shown as "-" were blank in the original listing; "1318..." and "1963..." are truncated in the original.)

Port 21142 TCP and 6881 TCP indicate P2P activity
Example 5: So You Like TCP Options

[Wireshark view of the 69.143.202.28:47820 <-> 201.235.7.45:21142 session: TCP handshake (SYN, SYN/ACK, ACK; Seq=557219919 Len=0 MSS=1460), then BitTorrent Handshake, Bitfield, unchoke and Piece messages carried as segments of reassembled PDUs, with retransmissions and a "previous segment lost" note. The selected packet, the one behind the alert, shows: Acknowledgement number: 557227574; Header length: 32 bytes; Flags: 0x10 (ACK); Window size: 17520; Checksum: 0x3ad8 [correct]; Options: (12 bytes) NOP, NOP, ...]

If you really care about the TCP options the only answer is reviewing the full content data

Example 6: Odd UDP Traffic

alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:7;)
/nsm/rules/cel433/sql.rules: Line 66

Count:1 Event#1.164746 2007-02-12 16:44:49
MS-SQL probe response overflow attempt
68.101.70.85 -> 69.143.202.28
IPVer=4 hlen=5 tos=0 dlen=640 ID=30017 flags=0 offset=0 ttl=111 chksum=14790
Protocol: 17 sport=2361 -> dport=48549
len=620 chksum=55376
Payload:
[620-byte hex dump, almost entirely non-printable bytes, not reproduced]
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Example 6: Odd UDP Traffic 

Wireshark packet list (filtered to the two hosts):

Time               Source         Destination    Protocol  Info
2007-02-12 11:3..  69.143.202.28  68.101.70.85   UDP       Source port: 48549  Destination port: 2361
2007-02-12 11:3..  68.101.70.85   69.143.202.28  UDP       Source port: 2361   Destination port: 48549
2007-02-12 11:3..  69.143.202.28  68.101.70.85   UDP       Source port: 48549  Destination port: 2361
2007-02-12 11:3..  68.101.70.85   69.143.202.28  UDP       Source port: 2361   Destination port: 48549
2007-02-12 11:4..  69.143.202.28  68.101.70.85   UDP       Source port: 48549  Destination port: 2361
2007-02-12 11:5..  69.143.202.28  68.101.70.85   UDP       Source port: 48549  Destination port: 2361
2007-02-12 11:5..  68.101.70.85   69.143.202.28  UDP       Source port: 2361   Destination port: 48549
2007-02-12 11:5..  69.143.202.28  68.101.70.85   UDP       Source port: 48549  Destination port: 2361
2007-02-12 11:5..  68.101.70.85   69.143.202.28  UDP       Source port: 2361   Destination port: 48549

(The Time column is cut off in the screenshot; only "2007-02-12 11:3", "11:4" or "11:5" is visible for each row.)

Wireshark packet details:

Frame 6 (654 bytes on wire, 654 bytes captured)
Ethernet II, Src: 00:01:5c:22:aa:c2 (00:01:5c:22:aa:c2), Dst: 00:02:b3:0a:cd:5e (00:02:b3:0a:cd:5e)
Internet Protocol, Src: 68.101.70.85 (68.101.70.85), Dst: 69.143.202.28 (69.143.202.28)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 640
    Flags: 0x00
    Fragment offset:
    Time to live: 111
    Protocol: UDP (0x11)
    Header checksum: 0x39c6 [correct]
    Source: 68.101.70.85 (68.101.70.85)
    Destination: 69.143.202.28 (69.143.202.28)
User Datagram Protocol, Src Port: 2361 (2361), Dst Port: 48549 (48549)
Data (612 bytes)

Use IP ID to match alert packet



[Wireshark hex pane for frame 6, offsets 0000 to 00c0; the byte values are not legible in the scan]
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Example 6: Odd UDP Traffic 
Only one alert involved source IP

Date/Time            Src IP        SPort  Dst IP         DPort  Pr  Event Message
2007-02-12 16:44:49  68.101.70.85  2361   69.143.202.28  48549  17  MS-SQL probe response overflow attempt

Seven similar UDP sessions involving source IP

Start Time           End Time             Src IP         SPort  Dst IP        DPort  Pr  S Pkts  S Bytes  D Pkts  D Bytes
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  68.101.70.85  2361   17  1       39       1       620
2007-02-12 16:38:48  2007-02-12 16:38:48  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
2007-02-12 16:44:49  2007-02-12 16:44:49  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
2007-02-12 16:50:50  2007-02-12 16:50:50  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
2007-02-12 16:56:52  2007-02-12 16:56:52  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
2007-02-12 17:03:35  2007-02-12 17:03:35  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
2007-02-12 17:09:54  2007-02-12 17:09:54  69.143.202.28  48549  68.101.70.85  2361   17  1       40       1       620
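The pivot the slide makes, from one alert to the session records for the same endpoints, can be automated: group sessions by 5-tuple and look for ones that recur at a near-constant interval with a constant reply size. The following is an added example, not code from the talk or from any NSM tool; its input is constructed from the session rows on the slides above (the seven UDP sessions plus two other sessions from the same host), in a pipe-separated form assumed here for convenience.

```python
"""Flag 5-tuples whose sessions recur at a near-constant interval.
Added example built on the slide's session records; not code from the talk
or from any monitoring product."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed input, retyped from the session tables on the slides.
# Fields: start|end|src|sport|dst|dport|proto|spkts|sbytes|dpkts|dbytes
SESSIONS = """\
2007-02-12 16:32:49|2007-02-12 16:32:49|69.143.202.28|48549|68.101.70.85|2361|17|1|39|1|620
2007-02-12 16:38:48|2007-02-12 16:38:48|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 16:44:49|2007-02-12 16:44:49|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 16:50:50|2007-02-12 16:50:50|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 16:56:52|2007-02-12 16:56:52|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 17:03:35|2007-02-12 17:03:35|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 17:09:54|2007-02-12 17:09:54|69.143.202.28|48549|68.101.70.85|2361|17|1|40|1|620
2007-02-12 16:32:49|2007-02-12 16:32:50|69.143.202.28|1110|212.72.49.150|80|6|5|175|5|303
2007-02-12 16:32:52|2007-02-12 16:32:52|69.143.202.28|48549|209.6.147.46|37867|17|1|84|1|56
"""

FMT = "%Y-%m-%d %H:%M:%S"
FIELDS = ("start", "end", "src", "sport", "dst", "dport", "proto",
          "spkts", "sbytes", "dpkts", "dbytes")


def parse_sessions(text):
    """Parse pipe-separated session records into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split("|")))
        rec["start"] = datetime.strptime(rec["start"], FMT)
        rec["end"] = datetime.strptime(rec["end"], FMT)
        for f in FIELDS[3:]:
            if f != "dst":
                rec[f] = int(rec[f])
        rows.append(rec)
    return rows


def find_periodic(sessions, min_count=4, max_cv=0.2):
    """Group sessions by (src, sport, dst, dport, proto).  Report groups with
    at least min_count sessions whose start-to-start gaps have a coefficient
    of variation (stdev / mean) no larger than max_cv.  Sorted by count."""
    groups = {}
    for s in sessions:
        key = (s["src"], s["sport"], s["dst"], s["dport"], s["proto"])
        groups.setdefault(key, []).append(s)
    hits = []
    for key, members in groups.items():
        if len(members) < min_count:
            continue
        starts = sorted(m["start"] for m in members)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # all sessions at the same instant
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"key": key, "count": len(members),
                         "mean_interval": avg, "cv": cv,
                         "dbytes": sorted({m["dbytes"] for m in members})})
    return sorted(hits, key=lambda h: -h["count"])


if __name__ == "__main__":
    for hit in find_periodic(parse_sessions(SESSIONS)):
        print(hit)
```

On the slide's data the 48549/2361 tuple is the only hit: seven sessions about 371 seconds apart with a fixed 620-byte reply. The alert fired on one of them; the session table shows the pattern, and only full content data (as the next slides show) can say what the traffic is.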
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Example 6: Odd UDP Traffic 

Query for sessions involving our IP around the time of
the original alert

Investigating this Web session might be interesting (marked <- below)

Start Time           End Time             Src IP         SPort  Dst IP           DPort  Pr  S Pkts  S Bytes  D Pkts  D Bytes
2007-02-12 16:32:47  2007-02-12 16:32:57  69.143.202.28  48549  207.216.88.94    44481      2       458      2       45
2007-02-12 16:32:47  2007-02-12 16:32:57  69.143.202.28  48549  74.98.160.101    16229      3       487      3       122
2007-02-12 16:32:47  2007-02-12 16:32:47  69.143.202.28  48549  164.67.198.69    12530      1       40       1       26
2007-02-12 16:32:47  2007-02-12 16:32:47  69.143.202.28  48549  69.110.16.214    19695      1       40       1       25
2007-02-12 16:32:47  2007-02-12 16:32:47  69.143.202.28  48549  72.186.73.93     28432      1       40       1       26
2007-02-12 16:32:47  2007-02-12 16:32:57  69.143.202.28  48549  24.201.209.164   56094      2       458      2       45
2007-02-12 16:32:47  2007-02-12 16:32:57  69.143.202.28  48549  24.23.73.110     41229      2       458      2       45
2007-02-12 16:32:49  2007-02-12 16:32:50  69.143.202.28  1110   212.72.49.150    80     6   5       175      5       303     <-
2007-02-12 16:32:49  2007-02-12 16:32:54  69.143.202.28  32769  68.87.73.242     53         2       80       2       128
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  76.170.32.8      33364      1       64               37
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  87.67.135.96     13058      1       45               436
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  160.87.34.52     4775       1       38               447
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  71.227.96.109    11174      1       71               55
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  195.132.250.140  25625      1       40               26
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  70.122.247.232   63086      1       65               28
2007-02-12 16:32:49  2007-02-12 16:32:49  69.143.202.28  48549  68.101.70.85     2361       1       39               620
2007-02-12 16:32:49  2007-02-12 16:33:55  69.143.202.28  60931  66.226.79.2      443    6   14      599      9       3824
2007-02-12 16:32:52  2007-02-12 16:32:53  69.143.202.28  1112   209.160.40.62    54376  6   9       858      8       1014
2007-02-12 16:32:52  2007-02-12 16:32:53  69.143.202.28  1113   195.215.8.153    61775  6   8       845      8       972
2007-02-12 16:32:52  2007-02-12 16:34:51  69.143.202.28  1114   209.160.40.63    51572  6   42      1602     44      1456
2007-02-12 16:32:52  2007-02-12 16:32:52  69.143.202.28  48549  209.6.147.46     37867  17  1       84       1       56
2007-02-12 16:32:52  2007-02-12 16:32:52  69.143.202.28  48549  12.201.58.102    28529  17  1       84       1       56

(Blank cells are values that are not legible in the screenshot.)
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Example 6: Odd UDP Traffic 



Port 80 TCP traffic shows Skype download

Src IP:    69.143.202.28 (c-69-143-202-28.hsd1.ua.comcast.net)
Dst IP:    212.72.49.150 (Unknown)
Src Port:  1110
Dst Port:  80
OS Fingerprint: 69.143.202.28:1110 - Windows 2000 SP2+, XP SP1+ (seldom 98)
OS Fingerprint:   -> 212.72.49.150:80 (distance 2, link: ethernet/modem)

SRC: GET /ui/0/3.0.0.216/en/getlatestversion?ver=3.0.0.216&uhash=1c5fdf796911dd6a7462b172f5f2aa477 HTTP/1.1
SRC: User-Agent: Skype. 3.0
SRC: Host: ui.skype.com
SRC: Cache-Control: no-cache
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Mon, 12 Feb 2007 16:32:55 GMT
DST: Server: Apache
DST: Last Modified: Thu, 08 Feb 2007 14:10:40 GMT
DST: ETag: "cb32 9 9ba29800"
DST: Accept-Ranges: bytes
DST: Content-Length: 9
DST: X-Debug: Served from cache
DST: Connection: close
DST: Content-Type: text/plain; charset=utf-8
DST: Content-Language: en
DST:
DST: 2.0.0.105
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Example 7: SANS ISC TCP Options 

Sometimes the best investigative method is to step away 
from Wireshark and talk to a human 

2 March 2007: SANS ISC reports "generally" seeing 
SYN ACK traffic from sources "80, 6667, 6666, and 443" 
from 129.250.128.21 (compton.ameri.ca) 

I wrote about this in 1999 and taught it at SANS in 2000 



SYN Flood Against Open Port

[Diagram: Unknown Attacker, Your Network]

1. Ping network; non-responsive IPs are assumed to be non-existent
2. SYN packets with source IPs from your network
3. SYN ACK packets

This scenario assumes the SYN flooding tool tries to find non-existent
IPs. In other words, it doesn't randomly choose IPs to spoof.

SYN Flood Against Closed Port

[Diagram: Unknown Attacker, Your Network]

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1. Ping network; non-responsive IPs are assumed to be non-existent
2. SYN packets with source IPs from your network
3. RST ACK packets

This scenario assumes the SYN flooding tool tries to find non-existent
IPs. In other words, it doesn't randomly choose IPs to spoof.
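Both diagrams describe the same thing from the monitored network's side: SYN/ACK (open port) or RST/ACK (closed port) segments arriving for connections that nobody here opened. A border sensor can separate that backscatter from real handshake replies by remembering the SYNs its own hosts sent. The following is an added example, not code from the talk or from SANS ISC; the sample segments are constructed, the 10.0.0.0/24 prefix stands in for "your network", and 129.250.128.21 is the SYN/ACK source named on the slide.

```python
"""Classify inbound SYN/ACK and RST/ACK segments as handshake replies or as
backscatter from a spoofed-source SYN flood.  Added example; constructed
sample data, not code from the talk or from SANS ISC."""
import ipaddress
from collections import namedtuple

Segment = namedtuple("Segment", "ts src sport dst dport flags")

OUR_NET = ipaddress.ip_network("10.0.0.0/24")   # placeholder for "your network"

# Constructed sample: two real connections from live hosts, three replies
# addressed to 10.0.0.250/251 (addresses no host of ours ever used), and one
# reply that shows up long after the SYN it answers.
SAMPLE = [
    Segment(1.00, "10.0.0.5", 40001, "203.0.113.9", 443, "S"),
    Segment(1.05, "203.0.113.9", 443, "10.0.0.5", 40001, "SA"),
    Segment(2.00, "129.250.128.21", 80, "10.0.0.250", 1239, "SA"),
    Segment(2.01, "129.250.128.21", 6667, "10.0.0.250", 1240, "SA"),
    Segment(2.02, "129.250.128.21", 443, "10.0.0.251", 1241, "RA"),
    Segment(3.00, "10.0.0.7", 40002, "198.51.100.4", 22, "S"),
    Segment(3.20, "198.51.100.4", 22, "10.0.0.7", 40002, "SA"),
    Segment(90.0, "198.51.100.4", 22, "10.0.0.7", 40002, "SA"),
]


def is_ours(addr):
    return ipaddress.ip_address(addr) in OUR_NET


def find_backscatter(segments, window=60.0):
    """Return (backscatter, matched).  A reply is matched when the
    corresponding outbound SYN was seen within `window` seconds; otherwise it
    is unexplained and counted as backscatter.  Expiring old SYNs keeps the
    table bounded; the cost is that a late retransmission is reported too,
    which is the right bias for a sensor that only observes."""
    syns = {}
    backscatter, matched = [], []
    for seg in sorted(segments, key=lambda s: s.ts):
        if is_ours(seg.src) and seg.flags == "S":
            syns[(seg.src, seg.sport, seg.dst, seg.dport)] = seg.ts
        elif is_ours(seg.dst) and seg.flags in ("SA", "RA"):
            sent = syns.get((seg.dst, seg.dport, seg.src, seg.sport))
            if sent is not None and seg.ts - sent <= window:
                matched.append(seg)
            else:
                backscatter.append(seg)
    return backscatter, matched


def summarize(backscatter):
    """Per replying host: SYN/ACK count (open port), RST/ACK count (closed
    port), the source ports involved and which of our addresses were spoofed.
    This is the view a site would report to the ISC."""
    report = {}
    for seg in backscatter:
        e = report.setdefault(seg.src, {"SA": 0, "RA": 0,
                                        "ports": set(), "spoofed": set()})
        e[seg.flags] += 1
        e["ports"].add(seg.sport)
        e["spoofed"].add(seg.dst)
    return report


if __name__ == "__main__":
    bs, ok = find_backscatter(SAMPLE)
    print(f"{len(ok)} handshake replies, {len(bs)} backscatter segments")
    for host, e in summarize(bs).items():
        print(host, e)
```

The spoofed addresses are exactly the ones the diagram says the flooding tool prefers: unused ones. A host-based tool on live machines never sees these replies; a sensor watching the whole prefix does, and the per-host summary (which ports, SYN/ACK versus RST/ACK) is what identifies the flooded host and which of its ports are open.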




Example 7: SANS ISC TCP Options 



SANS basically ignores me, so I contact the owner of
compton.ameri.ca (Brad Dreisbach) who says:

- "i have been getting tcp syn attacked for about 3 weeks now. i
have re-installed the OS on the host just to be safe, but im fairly
sure my systems are secure, i have also taken measures with
my upstream, whom i also work for, to mitigate the attack, some
stuff is still getting through but at this point im just waiting for the
attackers to give up..."

Brad sends me a trace that also shows an ACK flood 
against his host from other parties 

SANS still ignores me, never posts additional details on 
isc.sans.org 
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Example 7: SANS ISC TCP Options 
ShadowServer project sends me bot net C&C traffic 

Feb 26 16:59:16 xx.xx.xx.xx (xx.xx.xx.xx:6667) :ESP|846305!njhvef@xx.xx.xx.xx PRIVMSG ##r0x## :nzm (tcp.plg) »» Done with ack flood to IP: 129.250.128.21. Sent: 19186 packet(s) @ 2KB/sec (1MB).

Feb 26 16:59:23 xx.xx.xx.xx (xx.xx.xx.xx:6667) :ESP|187844!guwcpbmq@xx.xx.xx.xx PRIVMSG ##r0x## :nzm (tcp.plg) »» Done with ack flood to IP: 129.250.128.21. Sent: 49633 packet(s) @ 7KB/sec (2MB).

Feb 26 16:59:52 xx.xx.xx.xx (xx.xx.xx.xx:6667) :PRT|113722!owfxzrp@xx.xx.xx.xx.rev.xxximus.pt PRIVMSG ##r0x## :nzm (tcp.plg) »» Done with ack flood to IP: 129.250.128.21. Sent: 47952 packet(s) @ 7KB/sec (2MB).
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Example 7: SANS ISC TCP Options 




TCP Bad Options Follow-up 




Overview: 

* All packets reported are SYN/ACKs which is what the analysis is based 
on below. 

* All Packets have the same bad TCP option combination as shown below 



0000  00 01 c9 e0 58 00 00 90 69 77 44 be 08 00 45 00  ....X...iwD...E.
0010  00 30 24 d9 40 00 66 06 e7 ab 89 d0 55 55 0a 00  .0$.@.f.....UU..
0020  1f 1e 1a 0b 04 d7 9f 0c 97 c5 99 a8 12 17 70 12  ..............p.
0030  40 00 39 56 00 00 02 04 05 b4 01 02 04 03        @.9V..........

Michal Zalewski's Museum of Broken Packets shows
traffic caused by the juno-z DoS tool

- http://packetstormsecurity.org/DoS/juno-z.101f.c

0000  XX XX XX XX XX XX XX XX XX XX XX XX 08 00 45 00  ............E.
0010  00 30 6f bb 40 00 7f 06 63 b6 40 be 19 30 XX XX  .0o.@...c.@..0..
0020  XX XX 04 59 01 ea 10 10 02 39 00 00 00 00 70 02  ...Y.....9....p.
0030  40 00 02 3b 00 00 02 04 05 b4 01 02 04 03        @..;..........
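What makes the two dumps comparable is the option list at the end of the TCP header: 02 04 05 b4 (MSS 1460), 01 (NOP), then 02 04 03, an MSS option claiming four bytes when only three remain. A dissector that stops at that point and records why gives an analyst the field to match on. The following is an added example, not code from the talk, the SANS ISC diary or the Museum of Broken Packets; the two frames are retyped from the dumps above, with the anonymised "XX" bytes of the juno-z sample replaced by 00 as a placeholder, and the well-formed third frame is constructed for contrast.

```python
"""Dissect an Ethernet/IPv4/TCP frame and check its TCP option list for the
malformed combination quoted on this slide.  Added example; frames retyped
from the slide's dumps, XX bytes replaced by 00 (placeholder)."""
import struct

ISC_SYNACK = bytes.fromhex(
    "0001c9e058000090697744be08004500"
    "003024d940006606e7ab89d055550a00"
    "1f1e1a0b04d79f0c97c599a812177012"
    "400039560000020405b401020403")

JUNO_SYN = bytes.fromhex(
    "00000000000000000000000008004500"   # XX bytes -> 00 (placeholder)
    "00306fbb40007f0663b640be19300000"
    "0000045901ea10100239000000007002"
    "4000023b0000020405b401020403")

# Same header with a well-formed option list (MSS, NOP, NOP, SACK permitted),
# constructed so the check has a negative case.
GOOD_SYN = JUNO_SYN[:-8] + bytes.fromhex("020405b401010402")

FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04),
             ("P", 0x08), ("A", 0x10), ("U", 0x20))


def parse_tcp_options(raw):
    """Walk a TCP option list.  Returns (options, problems).  Parsing stops at
    the first malformed option, as a receiving stack would have to."""
    opts, problems, i = [], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            opts.append(("EOL", None))
            break
        if kind == 1:                      # no-operation, one byte
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            problems.append(f"kind {kind} at offset {i}: no length byte")
            break
        length = raw[i + 1]
        if length < 2:
            problems.append(f"kind {kind} at offset {i}: length {length} < 2")
            break
        if i + length > len(raw):
            problems.append(f"kind {kind} at offset {i}: claims {length} bytes, "
                            f"only {len(raw) - i} remain")
            break
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == 4 and length == 2:
            opts.append(("SACK_PERM", None))
        elif kind == 8 and length == 10:
            opts.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:
            opts.append((f"KIND{kind}", body.hex()))
        i += length
    return opts, problems


def parse_frame(frame):
    """Return the fields an analyst compares across reports: addresses, ports,
    flags, window, decoded options and any option-list problems."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    flags = "".join(name for name, bit in FLAG_BITS if off_flags & bit)
    opts, problems = parse_tcp_options(tcp[20:data_offset])
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "flags": flags, "window": win, "options": opts,
            "problems": problems}


def matches_bad_options(info):
    """The combination from the slide: MSS 1460, NOP, then an option whose
    stated length runs past the end of the header."""
    return (info["options"][:2] == [("MSS", 1460), ("NOP", None)]
            and any("claims" in p for p in info["problems"]))


if __name__ == "__main__":
    for name, frame in (("ISC SYN/ACK", ISC_SYNACK), ("juno-z SYN", JUNO_SYN),
                        ("well-formed SYN", GOOD_SYN)):
        info = parse_frame(frame)
        print(name, info["flags"], info["options"], info["problems"],
              matches_bad_options(info))
```

Run on the two slide frames the parser reports flags SA and S respectively, both with options [MSS 1460, NOP] and the same "claims 4 bytes, only 3 remain" problem; the constructed frame decodes cleanly. Matching on the decoded structure rather than on a raw byte string survives the header differences (ports, sequence numbers, window) that vary between the reports.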



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Example 7: SANS ISC TCP Options 



At the end of the day we have... 

- Backscatter traffic seen by various sites, reported to SANS ISC 

- Report from the victim of a DoS attack that he was flooded by 
multiple methods (including IPv6!) for three weeks 

- Traffic from DoS victim showing an ACK flood 

- Botnet C&C traffic showing bots attacking victim via ACK flood 

- Correlation with other traffic and identification of juno-z DoS tool 



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Conclusion 

If you're not stopping absolutely everything that's 
malicious, you're either blindly permitting it or perhaps 
alerting on some of it 

Investigating those suspicious events requires trusted 
data, and the network can provide one (not "the") 
independent source 



[Figure: pyramid of trust in network evidence sources, from most to least trusted]

Most Trusted (low user interaction)
  - Sensors, passive monitoring systems, etc.
  - Firewalls, "IPS," routers (especially w/ ACLs), layer 3 switches, possibly layer 2 switches
  - Systems exposing services to clients (servers)
  - User platforms: devices with which users directly interact, possibly offering services as well (e.g. Microsoft SMB, P2P)
Least Trusted (high user interaction)
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If You Thought I Was Going to Mention Gartner... 




2003 Gartner Press Release 

- "IDSs have failed to provide value relative to its costs and will be 
obsolete by 2005." (didn't happen) 

- "The Gartner Information Security Hype Cycle shows that IDS technology 
does not add an additional layer of security as promised by vendors. 
In many cases IDS implementation has proven to be costly and an 
ineffective investment." (probably true) 

- "Gartner recommends that enterprises redirect the money they would have
spent on IDS toward defense applications such as those offered by
thought-leading firewall vendors that offer both network-level and
application-level firewall capabilities in an integrated product." (going to
happen, eventually)



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2003 Gartner Press Release, cont. 




"According to the Gartner Information Security Hype Cycle 
research, some of the problems associated with IDSs are: 

1) False positives and negatives

2) An increased burden on the IS organization by requiring full-time 
monitoring (24 hours a day, seven days a week, 365 days a year) 

3) A taxing incident-response process 

4) An inability to monitor traffic at transmission rates greater than 600 
megabits per second" 

Comment: "Deep packet inspection firewalls" don't help 

1) False positives and negatives are unavoidable 

2) Constant vigilance is a requirement for any enterprise 

3) Incident response is always a PITA 

4) High rates is a technology issue common to any platform
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Gratuitous Critique of Commercial Products 



This is Cisco MARS -- please see 
taosecurity.blogspot.com/2007/02/earth-to-mars.html 
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[Screenshot: alert "1:400370 Microsoft SQL Server Resolution Service Stack Overflow
(Slammer/Sapphire worm)"]
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Gratuitous Critique of Commercial Products 
This is ArcSight -- how do you avoid GIGO? 
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Questions? 



KNOW YOUR NETWORK BEFORE AN INTRUDER DOES 



[Background screenshot: Wireshark packet list of repeated DNS standard queries for A z3n.phatcamp.org from several hosts on the monitored network to several resolvers]
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